Microsoft Slams WebGL, Considers It Harmful

Don't expect Microsoft to endorse WebGL (Web-based Graphics Library), the Khronos Group's cross-platform, low-level 3D graphics API for the web. Though it's supported in Mozilla Firefox and Google Chrome, and will be coming to future versions of Apple Safari and Opera, Microsoft is refusing to support WebGL in its current form because several security risks make it harmful, the Redmond software giant said.

"Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft's Security Development Lifecycle requirements," Microsoft said in a blog post.

One of Microsoft's key concerns is that browser support for WebGL directly exposes hardware functionality to the Web in a way it considers to be overly permissive. According to Microsoft, the security of WebGL as a whole depends on lower levels of the system, including OEM drivers, and while it might be possible to mitigate some of the risks, "the large attack surface exposed by WebGL remains a concern."

In addition to videocard driver vulnerabilities, Microsoft says WebGL relies too heavily on third parties to secure the Web experience. Microsoft caps off its concerns by pointing out problematic system DoS scenarios.

"We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities," Microsoft said. "In its current form, WebGL is not a technology Microsoft can endorse from a security perspective."